
Adding IP's to allowed list, not reachable

Open FDrebin opened this issue 1 year ago • 1 comments

Describe the bug

When adding additional IP addresses or ranges (x.x.x.x/xx), it does not appear to reflect on the clients after connection, as IPs or IPs in the specified range(s) are unreachable.

IP used by Gateway: 172.1.1.1/24
IP range I am trying to reach: 10.1.50.0/32

To Reproduce

Steps to reproduce the behavior:

  1. Login to the Defguard portal
  2. Select a gateway
  3. Add a new IP range to allowed list
  4. Save changes
  5. Connect client
  6. Try to reach an IP within the newly added range

Expected behavior

IP is reachable within the added range(s)

Version information

  • Defguard Core version: latest (at time of writing this report)
  • Defguard Gateway version: latest (at time of writing this report)
    • Operating system and version running the gateway: Ubuntu Server 24.04.1 LTS
  • Your browser and version: Firefox 130.0.1

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

Trying to allow Defguard to reach my network to access other resources that are not leveraging Defguard

FDrebin avatar Sep 28 '24 18:09 FDrebin

It also appears I am unable to reach the internet while connected to DefGuard, doing a ping to 1.1.1.1 returns no response.

FDrebin avatar Sep 30 '24 16:09 FDrebin

> It also appears I am unable to reach the internet while connected to DefGuard, doing a ping to 1.1.1.1 returns no response.

@FDrebin

Have you been able to resolve this? I'm facing the same problem.

I've tried on

  • server: v0.11.0 and v1.0.0-alpha1
  • client: v0.4.0 and v0.5.0-beta1 and normal WireGuard Client

Tried Allowed IPs:

  • 0.0.0.0/0 (,::/0)
  • 0.0.0.0/1,128.0.0.0/1
  • some more specific CIDRs

With all these configurations I can access local services, but no internet connectivity. From within the container shell I can ping 1.1.1.1; when connected through VPN, I cannot.

thaemisch avatar Oct 30 '24 12:10 thaemisch

@thaemisch

I was not able to resolve it, I was not even able to reach internal IPs. I was only able to ping the IP of the gateway, was never able to reach anywhere else.

I actually went and stood up wg-easy and have had zero issues since.

FDrebin avatar Oct 30 '24 12:10 FDrebin

@FDrebin @thaemisch VPN is one thing, but there needs to be at least routing configured on the server or NAT. Here are the details for NAT: https://docs.defguard.net/tutorials/step-by-step-setting-up-a-vpn-server#enabling-to-access-internet-through-your-vpn

teon avatar Oct 30 '24 18:10 teon

It works now, thank you so much for your support! I had enabled forwarding, but disabled iptables since Oracle Cloud layers another firewall on top, managed through web interface.

Now that I can use it properly I can say, you guys have built an awesome thing here - thank you!

thaemisch avatar Oct 30 '24 20:10 thaemisch

@thaemisch thank you!

teon avatar Oct 30 '24 21:10 teon
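
The two gateway-side conditions this thread turned on (IP forwarding enabled, and a NAT rule for traffic leaving the gateway) can be checked with a short script. This is an added example, not part of the thread or of Defguard's own tooling; the function names are hypothetical, and the interface name `eth0` and the sample rule dumps are constructed.

```shell
#!/bin/sh
# Added example: why can VPN clients reach the gateway but nothing behind it?
# The functions take text as input, so they work on live output or saved samples.
# Live use (as root; eth0 is an assumed outbound interface name):
#   diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save -t nat)" eth0

# Succeeds if the given contents of /proc/sys/net/ipv4/ip_forward equal 1.
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Succeeds if the iptables-save text in $1 has a nat POSTROUTING rule with a
# MASQUERADE or SNAT target that applies to outbound interface $2.
has_masquerade() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^\*/ { table = $1 }                      # table header, e.g. "*nat"
        table == "*nat" && $1 == "-A" && $2 == "POSTROUTING" {
            out = ""; tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-o") out = $(i + 1)    # outbound interface match
                if ($i == "-j") tgt = $(i + 1)    # rule target
            }
            # A rule without -o applies to every interface.
            if ((tgt == "MASQUERADE" || tgt == "SNAT") && (out == "" || out == ifc))
                found = 1
        }
        END { exit !found }'
}

# Prints: no-forwarding | no-nat | ok
# "no-nat" is only a fault when the networks behind the gateway have no return
# route to the VPN subnet (the "routing or NAT" point made in the thread).
diagnose() {
    if ! forwarding_enabled "$1"; then echo "no-forwarding"
    elif ! has_masquerade "$2" "$3"; then echo "no-nat"
    else echo "ok"; fi
}

# Constructed samples in iptables-save format.
SAMPLE_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_EMPTY='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'
```

A cloud provider's own firewall layer, such as the one mentioned above for Oracle Cloud, is not visible to this check and has to be reviewed in the provider's console.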